FMX Support Center

FMX Single Sign-On for Active Directory Federation Services (AD FS)

What is single sign-on? What is involved in the integration?

Single sign-on is a workflow that allows users within an organization to access their FMX site without entering a username or password. The user's login information is obtained automatically from the organization's internal network and passed through to FMX behind the scenes. The integration consists of the organization's IT department configuring their Active Directory system to support the connection with FMX. Skip this article if your company is not using the single sign-on integration. If your company has chosen to use the single sign-on integration, please read the directions below.

FMX supports the WS-Federation specification for single sign-on (SSO) integration. To integrate with an on-premise Active Directory installation, Active Directory Federation Services (AD FS) 2.0 is required. Users without an on-premise directory, such as Office 365 users, can integrate with FMX using Windows Azure Active Directory.


Scenario 1: On-Premise Active Directory with existing AD FS 2.0 installation

Add FMX as a relying party using the following information (refer to Scenario 2 for more detailed instructions on how to do this):

WS-Federation URL

  • https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml

Claims rules

Completing integration

Simply provide FMX with the federation metadata document that AD FS generates. You can find this document at the following URL:

  • https://<your-ad-fs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml

Note that this document is different from the one that was used to add FMX as a relying party. If your AD FS metadata document is exposed to the public internet (recommended), you can simply provide FMX with its URL. However, if your AD FS server is only accessible from your organization's internal network, you'll need to provide a copy of the document.

Considerations

The disadvantage of providing a copy of the metadata document rather than a URL is that the document contains a token-signing certificate that expires, usually after one year, at which point you'll need to provide another copy. If the certificate expires before you're able to provide FMX with a new copy, sign-on will be interrupted. By providing a URL, FMX automatically synchronizes changes to your document and keeps the certificate current.

Next steps

A separate article explains how to configure AD FS to synchronize user access permissions.


Scenario 2: On-Premise Active Directory, no existing AD FS 2.0 installation

(This procedure was written for Windows Server 2008 R2. The steps may be slightly different for newer versions of Windows Server.)

Install AD FS 2.0

  1. Download and run the AD FS 2.0 installer from: http://www.microsoft.com/en-us/download/details.aspx?id=10909
  2. Choose "Federation server"
  3. Check "Start the AD FS 2.0 Management snap-in when this wizard closes" and close the installer

Configure AD FS 2.0

  1. From the "AD FS 2.0 Management" snap-in, click "AD FS 2.0 Federation Server Configuration Wizard"
  2. Choose "Create a new Federation Service"
  3. Choose "Stand-alone federation server"
  4. Select an SSL certificate (you should use a publicly signed certificate if users will authenticate outside of your internal network) and use the default Federation Service name
  5. Verify the following HTTP endpoints are accessible using a web browser:
    • Federation metadata document: https://<your-ad-fs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml
    • Passive requestor endpoint: https://<your-ad-fs-server-hostname>/adfs/ls/ (should return an AD FS error page)

Add FMX as a relying party

  1. From the "AD FS 2.0 Management" snap-in, click "Add Relying Party Trust..." to start the Add Relying Party Trust Wizard
  2. Choose "Import data about the relying party published online or on a local network" and enter the FMX federation metadata URL: https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml
  3. Choose "Permit all users to access this relying party"
  4. Check "Open the Edit Transform Claim Rule dialog for this relying party trust when the wizard closes" and close the wizard
  5. Click "Add Rule..." to start the Add Transform Claim Rule Wizard
  6. Choose "Send LDAP Attributes as Claims"
  7. Choose "Active Directory" and map the following LDAP attributes to outgoing claim types:
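
The same relying party trust can be created from the AD FS 2.0 PowerShell snap-in instead of the wizard, which is useful for scripting a rebuild or for Scenario 1 servers that are already in place. The block below is an added example, not FMX's or Microsoft's own text: it uses the Add-ADFSRelyingPartyTrust, Set-ADFSRelyingPartyTrust and Get-ADFSRelyingPartyTrust cmdlets that ship with AD FS 2.0, the FMX metadata URL from step 2, and "FMX" as an assumed display name for the trust. It covers steps 1 to 3 only; the LDAP attribute-to-claim mapping from step 7 is not included and must be supplied separately.

```powershell
# Added example (not from the FMX article): AD FS 2.0 PowerShell equivalent of
# steps 1-3 of "Add FMX as a relying party". Run in an elevated PowerShell
# session on the federation server. Replace "yourcompany" with your FMX hostname.

# AD FS 2.0 exposes its cmdlets as a snap-in rather than a module.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$fmxMetadataUrl = "https://yourcompany.gofmx.com/federationmetadata/2007-06/federationmetadata.xml"

# Step 2: import the relying party from the metadata FMX publishes. Monitoring
# plus auto-update keeps the trust current if FMX later changes its metadata.
Add-ADFSRelyingPartyTrust -Name "FMX" `
    -MetadataUrl $fmxMetadataUrl `
    -MonitoringEnabled $true `
    -AutoUpdateEnabled $true

# Step 3: "Permit all users to access this relying party" is this issuance
# authorization rule. Narrow it (for example to a security group) if not every
# directory account should be able to sign in to FMX.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@
Set-ADFSRelyingPartyTrust -TargetName "FMX" -IssuanceAuthorizationRules $permitAll

# Steps 5-7 ("Send LDAP Attributes as Claims") are applied with
# -IssuanceTransformRules and the attribute mapping from step 7; that mapping is
# deliberately not reproduced here.

# Confirm the trust was created with the expected identifier and rules.
Get-ADFSRelyingPartyTrust -Name "FMX" |
    Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled, IssuanceAuthorizationRules
```

The Identifier column in the final output should match the App ID that FMX's metadata declares for your site; if it does not, the trust was imported from the wrong metadata document.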

Completing integration

Simply provide FMX with the federation metadata document that AD FS generates. You can find this document at the following URL:

  • https://<your-ad-fs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml

Note that this document is different from the one that was used to add FMX as a relying party. If your AD FS metadata document is exposed to the public internet (recommended), you can simply provide FMX with its URL. However, if your AD FS server is only accessible from your organization's internal network, you'll need to provide a copy of the document.

Considerations

The disadvantage of providing a copy of the metadata document rather than a URL is that the document contains a token-signing certificate that expires, usually after one year, at which point you'll need to provide another copy. If the certificate expires before you're able to provide FMX with a new copy, sign-on will be interrupted. By providing a URL, FMX automatically synchronizes changes to your document and keeps the certificate current.
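
If you have to hand FMX a copy of the metadata document, the practical question is when that copy goes stale. The script below is an added example (not part of the FMX article) that reads a federation metadata document from a URL or a saved file, pulls out every token-signing certificate it carries, and reports the expiry date and days remaining. It also doubles as the step 5 check that the metadata endpoint is reachable. Assumptions: the function name Get-MetadataSigningCertificate is my own, the AD FS hostname is the article's placeholder, and the 30-day warning threshold is arbitrary.

```powershell
# Added example (not from the FMX article): report the token-signing
# certificate(s) inside an AD FS federation metadata document so that a copy
# sent to FMX is replaced before it expires. Runs on PowerShell 2.0 or later.

function Get-MetadataSigningCertificate {
    param([Parameter(Mandatory = $true)][string] $Source)

    # Accept either a URL (fetched over HTTPS) or a path to a saved .xml copy.
    if ($Source -match '^https?://') {
        $raw = (New-Object System.Net.WebClient).DownloadString($Source)
    } else {
        $raw = [System.IO.File]::ReadAllText($Source)
    }
    [xml] $metadata = $raw

    # Signing keys live under KeyDescriptor use="signing"; local-name() avoids
    # having to register the SAML metadata and XML-DSig namespaces.
    $xpath = "//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']"
    foreach ($node in $metadata.SelectNodes($xpath)) {
        $der  = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            DaysRemaining = [int] ($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
}

# Usage: the hostname placeholder is the one used throughout the article.
$certs = Get-MetadataSigningCertificate -Source "https://<your-ad-fs-server-hostname>/FederationMetadata/2007-06/FederationMetadata.xml"
$certs | Format-Table Subject, Thumbprint, NotAfter, DaysRemaining -AutoSize

# Warn ahead of expiry. 30 days is an assumed threshold; align it with the lead
# time FMX needs to load a new copy.
foreach ($c in @($certs | Where-Object { $_.DaysRemaining -lt 30 })) {
    Write-Warning "Send FMX a fresh metadata document: signing certificate $($c.Thumbprint) expires $($c.NotAfter)"
}

# On the federation server itself the same certificate is visible without
# parsing XML:
#   Get-ADFSCertificate -CertificateType Token-Signing | Select-Object Thumbprint, IsPrimary
```

The metadata document carries only public certificates, which is why publishing it on the internet (as the article recommends) does not expose a private key; what it does expose is the expiry date, so schedule this check before the certificate rolls rather than after.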

Next steps

A separate article explains how to configure AD FS to synchronize user access permissions.


Scenario 3: Office 365 / Azure Active Directory

  1. Log in to Windows Azure Portal at: https://manage.windowsazure.com/ 
  2. Click "Active Directory" link at bottom of left nav
  3. Click "->" of single record in active directory grid
  4. Click "Applications" tab in top nav
  5. Click "Add" in bottom nav:
    • Click "Add an application my organization is developing"
    • Enter "FMX" for name and select "Web application and/or web API" for type
    • Enter "https://yourcompany.gofmx.com/login" for "Sign-on URL" and "https://yourcompany.gofmx.com/" for "App ID URI"
  6. Click "Configure" tab in top nav
  7. Replace "Reply URL" with "https://yourcompany.gofmx.com/login/ws-federation/callback"
  8. Click "Save" in bottom nav
  9. Click "View Endpoints" in bottom nav:
    • Record the "Federation Metadata Document" field
  10. Click "Users" tab in top nav
  11. Select a user who should have access to FMX and click "Assign" in bottom nav
  12. Repeat steps 10 and 11 for each user who should have access to FMX

To complete the integration, provide FMX with the value of the "Federation Metadata Document" field.
